SMB3 signatures

I have only Windows Server 2016 and 10 machines on my network. I have enabled SMB3 encryption on all the servers that have file shares on them and I have configured SMB Digitally Signing to Required for all the machines in the domain. I would like to find out if my SMB connections are digitally signed. I used Wireshark to capture a connection between my Windows 10 1709 machine and Windows Server 2016 file share.

I can't attach a screenshot but in the "Negotiate Protocol Response" packet it shows the "Signature" under SMB2 Header as 00000000000000000000000000000000 so I assume SMB digitally signing isn't working?

The weird thing is, if I open an "Encrypted SMB3" packet and expand the SMB2 Transform Header I can see a Signature option which says: ee51ab3d9aa14b72cb8df4302b582167

1 Answer

SMB3 supports signing. The key is negotiated during the Session Setup phase. You should see the first signature in the Session Setup Response.

SMB (including SMB2 and SMB3) can only use signing if both sides support this option. The Session Setup Response is the first opportunity to do this.

SMB encryption is enabled on a per-share basis. Hence the first messages of the SMB connection will be exchanged in plain text. Once a Tree Connect has completed, all following traffic will be encrypted and signed.
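
As an added example (not part of the original question or answer), the Python sketch below parses the fixed 64-byte SMB2 header and the 52-byte SMB2 Transform Header and reports whether each message is signed or encrypted, which is the check the question performs by eye in Wireshark. The sample messages are constructed rather than captured; the session id and the non-zero SMB2 signature are made-up values, and only the transform signature is the one quoted in the question.

```python
import struct

SMB2_FLAGS_SIGNED = 0x00000008  # MS-SMB2 header flag: Signature field is populated
COMMANDS = {0x0000: "NEGOTIATE", 0x0001: "SESSION_SETUP", 0x0003: "TREE_CONNECT"}


def classify(msg: bytes) -> dict:
    """Describe the protection on one SMB2/SMB3 message (NetBIOS length prefix removed)."""
    magic = msg[:4]
    if magic == b"\xfdSMB":  # SMB2 TRANSFORM_HEADER (52 bytes) wraps an encrypted message
        if len(msg) < 52:
            raise ValueError("truncated transform header")
        sig, _nonce, _size, _rsvd, _flags, session = struct.unpack_from("<16s16sIHHQ", msg, 4)
        return {"kind": "transform", "encrypted": True, "signed": True,
                "signature": sig.hex(), "session_id": session}
    if magic == b"\xfeSMB":  # plain SMB2 header (64 bytes), signature in the last 16 bytes
        if len(msg) < 64:
            raise ValueError("truncated SMB2 header")
        (_hlen, _charge, _status, cmd, _credits, flags, _next, _mid,
         _rsvd, _tree, session, sig) = struct.unpack_from("<HHIHHIIQIIQ16s", msg, 4)
        return {"kind": COMMANDS.get(cmd, hex(cmd)), "encrypted": False,
                "signed": bool(flags & SMB2_FLAGS_SIGNED) and any(sig),
                "signature": sig.hex(), "session_id": session}
    raise ValueError("not an SMB2/SMB3 message")


def smb2_header(cmd: int, flags: int, session: int, sig: bytes) -> bytes:
    """Build a constructed 64-byte SMB2 header for the samples below."""
    return b"\xfeSMB" + struct.pack("<HHIHHIIQIIQ16s", 64, 0, 0, cmd, 1,
                                    flags, 0, 0, 0, 0, session, sig)


# Constructed samples (not captured traffic); session id and SMB2 signature are made up.
SERVER_TO_REDIR = 0x00000001
NEGOTIATE_RSP = smb2_header(0x0000, SERVER_TO_REDIR, 0, bytes(16))
SESSION_SETUP_RSP = smb2_header(0x0001, SERVER_TO_REDIR | SMB2_FLAGS_SIGNED,
                                0x1122334455, bytes(range(1, 17)))
# Transform header carrying the signature value quoted in the question.
ENCRYPTED = (b"\xfdSMB" + bytes.fromhex("ee51ab3d9aa14b72cb8df4302b582167")
             + struct.pack("<16sIHHQ", bytes(16), 0, 0, 1, 0x1122334455))


def summarize():
    """Return (kind, signed, encrypted) for each constructed sample, in order."""
    return [(r["kind"], r["signed"], r["encrypted"])
            for r in map(classify, (NEGOTIATE_RSP, SESSION_SETUP_RSP, ENCRYPTED))]


if __name__ == "__main__":
    for row in summarize():
        print(row)
```

An all-zero Signature in the Negotiate Protocol Response is reported as unsigned here, while the Session Setup Response and the transform-wrapped message both carry a non-zero signature.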